Abstract

Structural properties of two well-known families of keystream generators,
Shrinking Generators and Cellular Automata, have been analyzed.
Emphasis is on the equivalence of the binary sequences obtained from both
kinds of generators. In fact, Shrinking Generators (SG) can be identified
with a subset of linear Cellular Automata (mainly rule 90, rule 150 or a
hybrid combination of both rules). The linearity of these cellular models
can be advantageously used in the cryptanalysis of those keystream
generators.

1 Introduction 

Cellular Automata (CA) are discrete dynamic systems characterized by a simple
structure but a complex behavior [1] [2] [3]. This configuration makes them very
attractive to be used in the generation of pseudorandom sequences. In this sense,
CA are studied in order to obtain a characterization of the rules (mapping to the
next state) producing sequences with maximal length, balancedness and good
distribution of 1's and 0's. From a cryptographic point of view, it is fundamental
to analyze some additional characteristics of these generators, such as linear
complexity or correlation-immunity. The results of this study point toward the
equivalence between the sequences generated by CA and those obtained from
Linear Feedback Shift Registers-based models [I].

In this paper, CA hybrid configurations constructed from combinations of 
rules 90 and 150 are considered. In fact, a linear model that describes the
behavior of a kind of pseudorandom sequence generator, the so-called shrinking
generator (SG), has been derived. In this way, the sequences generated by SG 
can be studied in terms of CA. Thus, all the theoretical background on CA 
found in the literature can be applied to the analysis and/or cryptanalysis of 
shrinking generators. 

2 General description of the basic structures 

The two basic structures are introduced:

2.1 The Shrinking Generator

It is a very simple generator with good cryptographic properties [5]. This
generator is composed of two LFSRs: a control register, called $R_1$, that
decimates the sequence produced by the other register, called $R_2$. The sequence
produced by the LFSR $R_1$, that is $\{a_i\}$, controls the bits of the sequence
produced by $R_2$, that is $\{b_i\}$, which are included in the output sequence
$\{c_j\}$ (the shrunken sequence), according to the following rule:

1. If $a_i = 1 \Rightarrow c_j = b_i$

2. If $a_i = 0 \Rightarrow b_i$ is discarded.

Example 1: Consider the following LFSRs:

1. $R_1$ with length $L_1 = 3$, feedback polynomial $1 + D + D^3$ and initial state
(1, 0, 0). The sequence obtained is {0, 0, 1, 1, 1, 0, 1} with period 7.

2. $R_2$ with length $L_2 = 4$, feedback polynomial $1 + D^3 + D^4$ and initial state
(1, 0, 0, 0). The sequence obtained is {0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1, 1}
with period 15.

The output sequence $\{c_j\}$ will be determined by:

• $\{a_i\} \rightarrow$ 0 0 1 1 1 0 1 0 0 1 1 1 0 1 0

• $\{b_i\} \rightarrow$ 0 0 0 1 0 0 1 1 0 1 0 1 1 1 1

• $\{c_j\} \rightarrow$ 0 1 0 1 1 0 1 1

The underlined bits 0 or 1 in $\{b_i\}$ are discarded.

According to [5], the period of the shrunken sequence is

$$T = (2^{L_2} - 1)\,2^{(L_1 - 1)} \qquad (1)$$

and its linear complexity, notated $LC$, satisfies the following inequality

$$L_2\,2^{(L_1 - 2)} < LC \le L_2\,2^{(L_1 - 1)}. \qquad (2)$$

A simple calculation allows one to compute the number of 1's in the shrunken
sequence. Such a number is

$$\text{No. 1's} = 2^{(L_2 - 1)}\,2^{(L_1 - 1)}. \qquad (3)$$

Thus, the shrunken sequence is a quasi-balanced sequence. Since simplicity is
one of its most remarkable characteristics, this scheme is suitable for practical
implementation of efficient stream cipher cryptosystems.
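
The generator of Example 1 can be run directly to check equations (1) and (3). The following Python sketch is an added example, not code from the paper; the function names are hypothetical, and the tap convention ($a_k$ is the XOR of the bits $a_{k-d}$ for each term $D^d$ of the feedback polynomial, with the rightmost bit of the initial state output first) is an assumption chosen because it reproduces the sequences printed above.

```python
from math import gcd

def lfsr(taps, state, n):
    """First n output bits of the LFSR with a_k = XOR of a_(k-d), d in taps.

    `state` is written as in Example 1: its rightmost bit is output first.
    """
    seq = list(reversed(state))
    while len(seq) < n:
        bit = 0
        for d in taps:
            bit ^= seq[-d]
        seq.append(bit)
    return seq[:n]

def shrink(a, b):
    """Keep b_i when a_i = 1, discard it when a_i = 0."""
    return [bi for ai, bi in zip(a, b) if ai]

def min_period(seq):
    """Least p for which the cyclic sequence seq repeats every p bits."""
    n = len(seq)
    return next(p for p in range(1, n + 1)
                if n % p == 0 and seq == seq[p:] + seq[:p])

def example1():
    """Run both registers of Example 1 for one joint period (105 clocks)."""
    L1, L2 = 3, 4
    T1, T2 = 2**L1 - 1, 2**L2 - 1
    clocks = T1 * T2 // gcd(T1, T2)
    a = lfsr((1, 3), (1, 0, 0), clocks)       # R1: 1 + D + D^3
    b = lfsr((3, 4), (1, 0, 0, 0), clocks)    # R2: 1 + D^3 + D^4
    return a, b, shrink(a, b)

if __name__ == "__main__":
    a, b, c = example1()
    print("c_j    :", "".join(map(str, c[:8])))       # 01011011
    print("period :", min_period(c))                  # (2^4 - 1) * 2^2 = 60
    print("ones   :", sum(c))                         # 2^3 * 2^2 = 32
```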

2.2 Cellular Automata 

A one-dimensional cellular automaton can be described as an $n$-cell register,
whose binary stages are updated at the same time depending on a $k$-variable
function [3] also called rule. If $k = 2r + 1$ input variables are considered, then
there is a total of $2^k$ different neighborhood configurations. Therefore, for a
binary cellular automaton there can be up to $2^{2^k}$ different mappings to the
next state. Such mappings are the different rules $\Phi$. In fact, the next state
$x_i^{t+1}$ of the cell $x_i^t$ depends on the current state of $k$ neighbor cells

$$x_i^{t+1} = \Phi(x_{i-r}^t, \ldots, x_i^t, \ldots, x_{i+r}^t) \qquad (4)$$

If these functions are composed exclusively by XOR and/or XNOR operations,
then CA are said to be additive. In this case, the next state
$(x_1^{t+1}, \ldots, x_n^{t+1})$ can be computed from the current state
$(x_1^t, \ldots, x_n^t)$ such as follows:

$$(x_1^{t+1}, \ldots, x_n^{t+1}) = (x_1^t, \ldots, x_n^t) \cdot A + C \qquad (5)$$

where $A$ is an $n \times n$ matrix with binary coefficients and $C$ is the
complementary vector.

In CA, either all cells evolve under the same rule (uniform case) or they
follow different rules (hybrid case). At the ends of the array, two different
boundary conditions are possible: null automata when cells with permanent
null content are supposed adjacent to the extreme cells or periodic automata
when extreme cells are supposed adjacent.

In this paper, all automata considered will be null hybrid CA with rules 90
and 150. For $k = 3$, these rules are described such as follows:

• rule 90 → $x_i^{t+1} = x_{i-1}^t + x_{i+1}^t$

111 110 101 100 011 010 001 000
 0   1   0   1   1   0   1   0

01011010 (binary) = 90 (decimal).

• rule 150 → $x_i^{t+1} = x_{i-1}^t + x_i^t + x_{i+1}^t$

111 110 101 100 011 010 001 000
 1   0   0   1   0   1   1   0

10010110 (binary) = 150 (decimal).

The main idea of this work is to write a given SG in terms of a hybrid 
cellular automaton, where at least one of its output sequences equals the SG 
output sequence.

3 A shrinking generator linear model in terms of cellular automata



In this section, an algorithm to determine the one-dimensional linear hybrid 
CA corresponding to a particular shrinking generator is presented. Such an 
algorithm is based on the following facts: 

Fact 1: The characteristic polynomial of the shrunken sequence [5] is of the
form

$$P(D)^N \qquad (6)$$

where $P(D)$ is an $L_2$-degree primitive polynomial and $N$ satisfies the
inequality $2^{(L_1 - 2)} < N \le 2^{(L_1 - 1)}$.

Fact 2: $P(D)$ depends exclusively on the characteristic polynomial of the
register $R_2$ and on the length $L_1$ of the register $R_1$. Moreover, $P(D)$ is
the characteristic polynomial of cyclotomic coset $2^{L_1} - 1$, see gj. This
result can be proved in the same way as the lower bound on the LC is
derived in reference [5].

Fact 3: Rule 90 at the end of the array in a null automaton is equivalent to 
two consecutive rules 150 with identical sequences. Reciprocally, rule 150 
at the end of the array in a null automaton is equivalent to two consecutive 
rules 90 with identical sequences. 

According to the previous facts, the following algorithm is introduced:

Input: Two LFSR's $R_1$ and $R_2$ with their corresponding lengths, $L_1$ and $L_2$,
and the characteristic polynomial $P_2(D)$ of the register $R_2$.

Step 1: From $L_1$ and $P_2(D)$, compute the polynomial $P(D)$. In fact, $P(D)$
is the characteristic polynomial of the cyclotomic coset $E$, where
$E = 2^0 + 2^1 + \ldots + 2^{L_1 - 1}$. Thus,
$P(D) = (D + \alpha^E)(D + \alpha^{2E}) \cdots (D + \alpha^{2^{L_2 - 1}E})$,
$\alpha$ being a primitive root in $GF(2^{L_2})$.

Step 2: From $P(D)$, apply the Cattell and Muzio synthesis algorithm [8] to
determine the two linear hybrid CA whose characteristic polynomial is
$P(D)$. Such CA are written as binary strings with the following codification:
0 = rule 90 and 1 = rule 150.

Step 3: For each one of the previous binary strings representing the CA, we
proceed:

3.1 Complement its least significant bit. The resulting binary string is
notated $S$.

3.2 Compute the mirror image of $S$, notated $S^*$, and concatenate both
strings $S_c = S * S^*$.

3.3 Apply steps 3.1 and 3.2 to $S_c$ recursively $L_1 - 1$ times.

Output: Two binary strings codifying the CA corresponding to the given SG.

Remark that the characteristic polynomial of the register $R_1$ is not needed.
Due to the particular form of the shrunken sequence characteristic polynomial,
it can be noticed that the computation of the CA is proportional to $L_1$ instead
of $2^{L_1}$. Consequently, the algorithm can be applied to SG in a range of
cryptographic interest (e.g. $L_1, L_2 \approx 64$). In order to clarify the
previous steps a simple numerical example is presented.

Example 2: Consider the following LFSRs: $R_1$ with length $L_1 = 2$ and $R_2$
with length $L_2 = 5$ and characteristic polynomial
$P_2(D) = 1 + D + D^3 + D^4 + D^5$.

Step 1: $P(D)$ is the characteristic polynomial of the cyclotomic coset 3. Thus,
$P(D) = 1 + D^2 + D^5$.

Step 2: From $P(D)$ and applying the Cattell and Muzio synthesis algorithm,
two linear hybrid CA whose characteristic polynomial is $P(D)$ can be
determined. Such CA are written as:

0 1 1 1 1
1 1 1 1 0

Step 3: The two binary strings of length $L = 10$ representing the required CA
are:

0 1 1 1 0 0 1 1 1 0
1 1 1 1 1 1 1 1 1 1

with the corresponding codification above mentioned. The procedure has
been carried out once as $L_1 - 1 = 1$.
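
Step 3 can be checked mechanically on Example 2. The following Python sketch is an added example, not the paper's code: it applies steps 3.1 to 3.3 to a rule string and computes the characteristic polynomial of a null 90/150 automaton with the tridiagonal determinant recurrence (an assumption of this example; the Cattell and Muzio synthesis of Step 2 is not implemented). Function names are hypothetical, and the same check also holds for $L_1 = 3$, where the result is $P(D)^4$.

```python
def char_poly(rules):
    """Characteristic polynomial of a null-boundary 90/150 CA.

    `rules` is a string with 0 = rule 90 and 1 = rule 150. Polynomials over
    GF(2) are ints whose bit k is the coefficient of D^k. The transition
    matrix is tridiagonal, so det(D*I + A) obeys
    Delta_k = (D + d_k) * Delta_(k-1) + Delta_(k-2).
    """
    prev, cur = 0, 1                       # Delta_(-1), Delta_0
    for d in rules:
        prev, cur = cur, (cur << 1) ^ (cur if d == "1" else 0) ^ prev
    return cur

def gf2_mul(p, q):
    """Carry-less product of two GF(2) polynomials."""
    r = 0
    while q:
        if q & 1:
            r ^= p
        p, q = p << 1, q >> 1
    return r

def step3(rules, L1):
    """Steps 3.1-3.3: complement the last bit, append the mirror image,
    and repeat so that the doubling is done L1 - 1 times in total."""
    for _ in range(L1 - 1):
        s = rules[:-1] + ("1" if rules[-1] == "0" else "0")
        rules = s + s[::-1]
    return rules

if __name__ == "__main__":
    P = 0b100101                           # P(D) = 1 + D^2 + D^5
    for ca in ("01111", "11110"):          # the two CA found in Step 2
        out = step3(ca, 2)
        print(ca, "->", out, char_poly(out) == gf2_mul(P, P))
```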

From $L = 10$ known bits of the shrunken sequence $\{c_j\}$, the whole sequence,
whose period $T = 62$, can be easily reconstructed. In fact, let $\{c_j\}$ be of the
form

{cj} = {0 1 1 1 1 1 ...}, 

then the initial state of the cellular automaton can be computed from right to
left (or vice versa), according to the corresponding rules 90 and 150. Table 1
depicts the computation of the initial state for the first automaton. The
shrunken sequence is placed at the rightmost column.

90 150 150 150 90 90 150 150 150 90

1 1 1 1 1 
1 1 1 
1 110 1 10 
110 1 11 
10 1 1 
1110 
10 1 
1 
1 

1 

Table 1 - The shrunken sequence is at the rightmost column

Once the corresponding initial states are known, then the cellular automata 
will produce their corresponding output sequences and the shrunken sequence 
can be univocally determined. 
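
The right-to-left computation that Table 1 depicts can be written out as follows. This Python sketch is an added example, not the paper's code: it uses the first automaton of Example 2 with a constructed initial state (not the one of Table 1), observes $L = 10$ bits in the rightmost cell, and solves each cell's rule for its left neighbour. Function names are hypothetical.

```python
def ca_step(rules, state):
    """One clock of a null-boundary hybrid CA (0 = rule 90, 1 = rule 150)."""
    x = [0] + state + [0]
    return [x[i] ^ (int(r) & x[i + 1]) ^ x[i + 2] for i, r in enumerate(rules)]

def rightmost_output(rules, state, nbits):
    """Bits produced over time by the rightmost cell."""
    out = []
    for _ in range(nbits):
        out.append(state[-1])
        state = ca_step(rules, state)
    return out

def recover_initial_state(rules, known):
    """Rebuild the t = 0 state from len(rules) bits seen in the rightmost cell.

    Solving the rule of cell i for its left neighbour gives
    x_(i-1)(t) = x_i(t+1) + d_i * x_i(t) + x_(i+1)(t),
    so every column is one bit shorter than the column on its right.
    """
    n = len(rules)
    if len(known) != n:
        raise ValueError("need exactly len(rules) known bits")
    right = [0] * n                    # null cell to the right of the array
    col = list(known)
    state = [0] * n
    for i in range(n - 1, -1, -1):
        state[i] = col[0]              # top of each column is the t = 0 bit
        d = int(rules[i])
        left = [col[t + 1] ^ (d & col[t]) ^ right[t]
                for t in range(len(col) - 1)]
        right, col = col, left
    return state

if __name__ == "__main__":
    rules = "0111001110"                       # first automaton of Example 2
    secret = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1]    # constructed sample state
    known = rightmost_output(rules, secret, len(rules))
    state = recover_initial_state(rules, known)
    print(state == secret)
    print(rightmost_output(rules, state, 62) == rightmost_output(rules, secret, 62))
```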

In fact, CA computed by the previous algorithm will generate all the possible
sequences $\{x_i\}$ that are solutions of the difference equation

$$[P(E)]^{2^{L_1 - 1}} \{x_i\} = 0 \qquad (7)$$

$E$ being the shifting operator on $x_i$ (i.e. $E x_i = x_{i+1}$). The shrunken
sequence $\{c_j\}$ is just a particular solution of the previous equation. The
different sequences $\{x_i\}$ are distributed into the different state cycles of
each automaton. Once a specific sequence is fixed in a particular cell, e.g. the
shrunken sequence at the rightmost cell in the previous example, the location of
the other sequences is univocally determined. In addition, every particular
solution $\{x_i\}$ can be generated by every automaton cell depending on the
state cycle considered. In terms of LFSR-based generators, the solution sequences
$\{x_i\}$ correspond to sequences generated by different combinations of LFSRs:
clock-controlled shrinking generators [7], shrinking generators with distinct
rules of decimation, irregular clocking of the register $R_2$ based on particular
stages of the register $R_1$, etc. All these generators are included in a simple
automaton.



4 Applications of the CA-based model to the cryptanalysis of the shrinking generator

Since a linear model describing the behavior of the SG has been derived, the 
cryptanalysis of such a generator can be considered from different points of view: 

• Cryptanalysis based on the SG linear complexity: attacking the SG through
its linear complexity requires the knowledge of LC bits of the shrunken
sequence, LC being its linear complexity, or equivalently, the length of the
cellular automaton. Remark that this is just half the sequence required by
the Berlekamp-Massey algorithm [5] to reconstruct the original sequence.

• Cryptanalysis based on the Linear Consistency Test (LCT): The linear
consistency test [9] is a general divide-and-conquer cryptanalytic attack
that can be applied to the SG on the basis of the linear models provided
by the cellular automata. This attack would require the exhaustive search
through all possible initial states of the LFSR $R_2$.

• A new attack that exploits the weaknesses inherent to the CA-based linear
model can be also considered. Such an attack will be specified in the next
section.

5 Phaseshift analysis of CA sequences

If Bardell's algorithm for the phaseshift analysis of CA [10] is applied, then it
is possible to calculate the relation among the sequences obtained from CA. In
fact, in [10] it was shown that the characteristic equation determines the
recursion relationship among the bits in the output sequences of a hybrid 90/150
CA. A shift operator was used in conjunction with a table of discrete logarithms
to determine the phaseshift analytically.

Although the characteristic equation in [10] is a primitive polynomial $P(D)$,
it can be proved that the algorithm is valid for $P(D)^n$ too.

Example 3: Let us consider a CA with the following characteristics:

• The automaton length $L = 10$

• Rule distribution: 0011001100

• $P(D) = (1 + D + D^2 + D^4 + D^5)^2$.

Let $S$ be a shift operator defined in GF(2) which operates on $X_i$, the state
of the $i$-th cell, such as follows:

$$X_i(t + 1) = S X_i(t) \qquad (8)$$

we can write

$$X_1(t + 1) = X_2(t) \qquad (9)$$

as

$$S X_1(t) = X_2(t) \qquad (10)$$

or simply

$$S X_1 = X_2. \qquad (11)$$

The difference equation system is as follows:

$$
\begin{aligned}
S X_1 &= X_2 \\
S X_2 &= X_1 + X_3 \\
S X_3 &= X_2 + X_3 + X_4 \\
S X_4 &= X_3 + X_4 + X_5 \\
S X_5 &= X_4 + X_6 \\
S X_6 &= X_5 + X_7 \\
S X_7 &= X_6 + X_7 + X_8 \\
S X_8 &= X_7 + X_8 + X_9 \\
S X_9 &= X_8 + X_{10} \\
S X_{10} &= X_9
\end{aligned}
$$


Expressing each $X_i$ as a function of $X_{10}$, we obtain the following system:

$$
\begin{aligned}
X_1 &= (S^9 + S^4 + S^3 + S^2 + S + 1) X_{10} \\
X_2 &= (S^8 + S^6 + S^5 + S^4 + S^3 + S + 1) X_{10} \\
X_3 &= (S^7 + S^6 + S^5 + S^3 + 1) X_{10} \\
X_4 &= (S^6) X_{10} \\
X_5 &= (S^5 + S^3 + 1) X_{10} \\
X_6 &= (S^4 + S) X_{10} \\
X_7 &= (S^3 + S^2 + 1) X_{10} \\
X_8 &= (S^2 + 1) X_{10} \\
X_9 &= (S) X_{10}
\end{aligned}
$$


Now taking logarithms in both sides,

$$
\begin{aligned}
\log(X_1) &= \log(S^9 + S^4 + S^3 + S^2 + S + 1) + \log(X_{10}) \\
\log(X_2) &= \log(S^8 + S^6 + S^5 + S^4 + S^3 + S + 1) + \log(X_{10}) \\
\log(X_3) &= \log(S^7 + S^6 + S^5 + S^3 + 1) + \log(X_{10}) \\
\log(X_4) &= \log(S^6) + \log(X_{10}) \\
\log(X_5) &= \log(S^5 + S^3 + 1) + \log(X_{10}) \\
\log(X_6) &= \log(S^4 + S) + \log(X_{10}) \\
\log(X_7) &= \log(S^3 + S^2 + 1) + \log(X_{10}) \\
\log(X_8) &= \log(S^2 + 1) + \log(X_{10}) \\
\log(X_9) &= \log(S) + \log(X_{10})
\end{aligned}
$$

On the other hand, we have:

$$D^{26} \bmod P(D) = D^2 + 1. \qquad (12)$$

Next we define,

$$\log(D) = 1 \qquad (13)$$

According to the algorithm proposed by Bardell, we can identify the following
equations:

$$
\begin{aligned}
\log(X_9) - \log(X_{10}) &= 1 \\
\log(X_8) - \log(X_{10}) &= 26 \\
\log(X_4) - \log(X_{10}) &= 6
\end{aligned}
$$

and,

$$
\begin{aligned}
\log(X_2) - \log(X_1) &= 1 \\
\log(X_3) - \log(X_1) &= 26 \\
\log(X_7) - \log(X_1) &= 6
\end{aligned}
$$


According to the previous results, the same binary sequence is generated in
cells 1, 2, 3 and 7 as well as the same sequence is produced in cells 10, 9, 8 and
4. The phaseshifts of the outputs 2, 3 and 7 relative to cell 1 are 1, 26 and 6
respectively. Similar values are obtained in the other group of cells, that is cells
4, 8 and 9 relative to cell 10. The rest of cells generate different sequences.

Studying the distance among the shifted sequences and concatenating them,
the original sequence can be reconstructed. Nevertheless, the shifts among the
different shrunken sequences depend on the particular structure of the
automaton considered. In fact, once the automaton is known, Bardell's algorithm
has to be applied.
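
The phaseshifts of Example 3 can be confirmed by simulation instead of discrete logarithms. The following Python sketch is an added example, not the paper's code and not Bardell's algorithm: it clocks the automaton 0011001100 from a constructed non-zero state and searches for the shift $k$ such that $X_i(t) = X_{\mathrm{ref}}(t + k)$ over one period of 62 clocks. Function names are hypothetical.

```python
def ca_step(rules, state):
    """One clock of a null-boundary hybrid CA (0 = rule 90, 1 = rule 150)."""
    x = [0] + state + [0]
    return [x[i] ^ (int(r) & x[i + 1]) ^ x[i + 2] for i, r in enumerate(rules)]

def cell_sequences(rules, state, steps):
    """seqs[i][t] = content of cell i + 1 at time t."""
    seqs = [[] for _ in rules]
    for _ in range(steps):
        for seq, bit in zip(seqs, state):
            seq.append(bit)
        state = ca_step(rules, state)
    return seqs

def phaseshift(seq, ref, period):
    """Least k with seq[t] == ref[t + k] over one period, or None."""
    for k in range(period):
        if all(seq[t] == ref[t + k] for t in range(period)):
            return k
    return None

def example3_shifts(state):
    """Shifts of cells 9, 8, 4 relative to cell 10 and of 2, 3, 7 relative to cell 1."""
    rules, period = "0011001100", 62
    seqs = cell_sequences(rules, state, 2 * period)
    to_cell10 = {c: phaseshift(seqs[c - 1], seqs[9], period) for c in (9, 8, 4)}
    to_cell1 = {c: phaseshift(seqs[c - 1], seqs[0], period) for c in (2, 3, 7)}
    return to_cell10, to_cell1

if __name__ == "__main__":
    sample = [1, 0, 0, 1, 0, 1, 1, 0, 0, 0]    # constructed non-zero state
    print(example3_shifts(sample))
```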



6 Conclusions 

In this paper, the relationship between LFSR-based structures and cellular
automata has been stressed. More precisely, a particular family of LFSR-based
keystream generators, the so-called Shrinking Generators, has been analyzed
and identified with a subset of linear cellular automata. In fact, a linear model
describing the behavior of the SG has been derived.

The algorithm to convert the SG into a CA-based linear model is very simple
and can be applied to shrinking generators in a range of practical interest. The
key idea of this algorithm is that the number of steps to be carried out is
proportional to $L_1$ instead of $2^{L_1}$.

Once the linear equivalent model has been developed, the linearity of this
cellular model can be advantageously used in the analysis and/or cryptanalysis
of the SG. Besides the traditional cryptanalytic attacks (e.g. the linear
complexity attack that here requires half the sequence needed by the
Berlekamp-Massey algorithm and the LCT attack), an outline of a new attack that
exploits the weaknesses inherent to these CA has been introduced too.

The proposed linear model is believed to be a very useful tool to analyze the
strength of the sequence produced by a SG as a keystream generator in stream
cipher procedures.